Handover method with link failure recovery, wireless device and base station for implementing such method

ABSTRACT

For each target cell determined by a handover decision process, a first message is transmitted from a source base station ( 20 S) to a target base station ( 20 T) servicing that target cell. The first message includes an identifier of a wireless device ( 10 ) having a communication link with the source base station and information for obtaining authentication data for this wireless device. The authentication data depends on a secret key available to the wireless device and the source base station and on an identity of the target cell. Upon failure of the communication link, a cell is selected at the wireless device, which transmits to that cell a reestablishment request message including its identifier and authentication data depending on the secret key and on an identity of the selected cell. If the selected cell is a target cell serviced by a target base station that received a first message, conformity of the authentication data included in the reestablishment request message with the authentication data obtained from this first message is verified to authorize transfer of the communication link to the selected cell.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims priority to U.S.application Ser. No. 15/065,419, filed on Mar. 9, 2016, which is acontinuation of U.S. application Ser. No. 12/189,586, filed on Aug. 11,2008 (now U.S. Pat. No. 9,319,935), which claims priority of the benefitof U.S. Provisional Application No. 60/955,382, filed on Aug. 12, 2007,the entire contents of which are all hereby incorporated herein byreference.

BACKGROUND OF THE INVENTION Field of the Invention

The present invention relates to mobility management for wirelessdevices in a cellular communications network, and in particular tocontrolling handover of a wireless device from one cell of the networkto another. While it is described below in the context of an LTE (“longterm evolution”) type of cellular network for illustration purposes andbecause it happens to be well suited to that context, those skilled inthe communication art will recognize that the invention disclosed hereincan also be applied to various other types of cellular networks.

Discussion of the Related Art

Universal mobile telecommunications system (UMTS) is a 3rd Generation(3G) asynchronous mobile communication system operating in wideband codedivision multiple access (WCDMA) based on European systems, globalsystem for mobile communications (GSM) and general packet radio services(GPRS). The long term evolution (LTE) of UMTS is under discussion by the3rd generation partnership project (3GPP) that standardized UMTS.

The 3GPP LTE is a technology for enabling high-speed packetcommunications. Many schemes have been proposed for the LTE objectiveincluding those that aim to reduce user and provider costs, improveservice quality, and expand and improve coverage and system capacity.The 3G LTE requires reduced cost per bit, increased serviceavailability, flexible use of a frequency band, a simple structure, anopen interface, and adequate power consumption of a terminal as anupper-level requirement.

FIG. 1 is a block diagram illustrating network structure of an evolveduniversal mobile telecommunication system (E-UMTS). The E-UMTS may bealso referred to as an LTE system. The communication network is widelydeployed to provide a variety of communication services such as voiceand packet data.

As illustrated in FIG. 1, the E-UMTS network includes an evolved UMTSterrestrial radio access network (E-UTRAN) and an Evolved Packet Core(EPC) and one or more user equipment. The E-UTRAN may include one ormore evolved NodeB (eNodeB, or eNB) 20, and a plurality of userequipment (UE) 10 may be located in one cell. One or more E-UTRANmobility management entity (MME)/system architecture evolution (SAE)gateways 30 may be positioned at the end of the network and connected toan external network.

As used herein, “downlink” refers to communication from eNodeB 20 to UE10, and “uplink” refers to communication from the UE to an eNodeB. UE 10refers to communication equipment carried by a user and may be also bereferred to as a mobile station (MS), a user terminal (UT), a subscriberstation (SS) or a wireless device.

An eNodeB 20 provides end points of a user plane and a control plane tothe UE 10. MME/SAE gateway 30 provides an end point of a session andmobility management function for UE 10. The eNodeB and MME/SAE gatewaymay be connected via an S1 interface.

The eNodeB 20 is generally a fixed station that communicates with a UE10, and may also be referred to as a base station (BS) or an accesspoint. One eNodeB 20 may be deployed per cell. An interface fortransmitting user traffic or control traffic may be used between eNodeBs20.

The MME provides various functions including distribution of pagingmessages to eNodeBs 20, security control, idle state mobility control,SAE bearer control, and ciphering and integrity protection of non-accessstratum (NAS) signaling. The SAE gateway host provides assortedfunctions including termination of U-plane packets for paging reasons,and switching of the U-plane to support UE mobility. For clarity,MME/SAE gateway 30 will be referred to herein simply as a “gateway,” butit is understood that this entity includes both an MME and an SAEgateway.

A plurality of nodes may be connected between eNodeB 20 and gateway 30via the S1 interface. The eNodeBs 20 may be connected to each other viaan X2 interface and neighboring eNodeBs may have a meshed networkstructure that has the X2 interface.

FIG. 2(a) is a block diagram depicting an architecture of a typicalE-UTRAN and a typical EPC. As illustrated, eNodeB 20 may performfunctions of selection for gateway 30, routing toward the gateway duringa Radio Resource Control (RRC) activation, scheduling and transmittingof paging messages, scheduling and transmitting of Broadcast Channel(BCCH) information, dynamic allocation of resources to UEs 10 in bothuplink and downlink, configuration and provisioning of eNodeBmeasurements, radio bearer control, radio admission control (RAC), andconnection mobility control in LTE_ACTIVE state. In the EPC, and asnoted above, gateway 30 may perform functions of paging origination,LTE-IDLE state management, ciphering of the user plane, SystemArchitecture Evolution (SAE) bearer control, and ciphering and integrityprotection of Non-Access Stratum (NAS) signaling.

FIGS. 2(b) and 2(c) are block diagrams depicting the user-plane protocoland the control-plane protocol stack for the E-UMTS. As illustrated, theprotocol layers may be divided into a first layer (L1), a second layer(L2) and a third layer (L3) based upon the three lower layers of an opensystem interconnection (OSI) standard model that is well-known in theart of communication systems.

The physical layer, the first layer (L1), provides an informationtransmission service to an upper layer by using a physical channel. Thephysical layer is connected with a medium access control (MAC) layerlocated at a higher level through a transport channel, and data betweenthe MAC layer and the physical layer is transferred via the transportchannel. Between different physical layers, namely, between physicallayers of a transmission side and a reception side, data is transferredvia the physical channel.

The MAC layer of Layer 2 (L2) provides services to a radio link control(RLC) layer (which is a higher layer) via a logical channel. The RLClayer of Layer 2 (L2) supports the transmission of data withreliability. It should be noted that the RLC layer illustrated in FIGS.2(b) and 2(c) is depicted because if the RLC functions are implementedin and performed by the MAC layer, the RLC layer itself is not required.The PDCP layer of Layer 2 (L2) performs a header compression functionthat reduces unnecessary control information such that data beingtransmitted by employing Internet protocol (IP) packets, such as IPv4 orIPv6, can be efficiently sent over a radio (wireless) interface that hasa relatively small bandwidth.

A radio resource control (RRC) layer located at the lowest portion ofthe third layer (L3) is only defined in the control plane and controlslogical channels, transport channels and the physical channels inrelation to the configuration, reconfiguration, and release of the radiobearers (RBs). Here, the RB signifies a service provided by the secondlayer (L2) for data transmission between the terminal and the E-UTRAN.

As illustrated in FIG. 2(b), the RLC and MAC layers (terminated in aneNodeB 20 on the network side) may perform functions such as Scheduling,Automatic Repeat Request (ARQ), and hybrid automatic repeat request(HARQ). The PDCP layer (terminated in eNodeB 20 on the network side) mayperform the user plane functions such as header compression, integrityprotection, and ciphering.

As illustrated in FIG. 2(c), the RLC and MAC layers (terminated in aneNodeB 20 on the network side) perform the same functions as for thecontrol plane. As illustrated, the RRC layer (terminated in an eNodeB 20on the network side) may perform functions such as broadcasting, paging,RRC connection management, Radio Bearer (RB) control, mobilityfunctions, and UE measurement reporting and controlling. The NAS controlprotocol (terminated in the MME of gateway 30 on the network side) mayperform functions such as a SAE bearer management, authentication,LTE_IDLE mobility handling, paging origination in LTE_IDLE, and securitycontrol for the signaling between the gateway and UE 10.

The NAS control protocol may use three different states; first, aLTE_DETACHED state if there is no RRC entity; second, a LTE_IDLE stateif there is no RRC connection while storing minimal UE information; andthird, an LTE_ACTIVE state if the RRC connection is established. Also,the RRC state may be divided into two different states such as aRRC_IDLE and a RRC_CONNECTED.

In RRC_IDLE state, the UE 10 may receive broadcasts of systeminformation and paging information while the UE specifies aDiscontinuous Reception (DRX) configured by NAS, and the UE has beenallocated an identification (ID) which uniquely identifies the UE in atracking area. Also, in RRC-IDLE state, no RRC context is stored in theeNodeB.

In RRC_CONNECTED state, the UE 10 has an E-UTRAN RRC connection and acontext in the E-UTRAN, such that transmitting and/or receiving datato/from the network (eNodeB) becomes possible. Also, the UE 10 canreport channel quality information and feedback information to theeNodeB.

In RRC_CONNECTED state, the E-UTRAN knows the cell to which the UE 10belongs. Therefore, the network can transmit and/or receive data to/fromUE 10, the network can control mobility (handover) of the UE, and thenetwork can perform cell measurements for a neighboring cell.

In RRC_IDLE mode, the UE 10 specifies the paging DRX (DiscontinuousReception) cycle. Specifically, the UE 10 monitors a paging signal at aspecific paging occasion of every UE specific paging DRX cycle.

FIG. 3 illustrates a typical handover procedure in an LTE system. Thehandover procedure is made to transfer, or hand off, a pendingcommunication from a source cell, serviced by a source eNodeB 20S, to atarget cell, serviced by a target eNodeB 20T. We consider here the casewhere the source and target cells are not serviced by the same eNodeB.

The source eNodeB 20S configures the UE measurement procedures, whichform part of the RRC protocol depicted in FIG. 2(a), according to arearestriction information provisioned in each eNodeB. This may be done bysending one or more MEASUREMENT CONTROL messages to the UE 10 in theRRC_CONNECTED state, as illustrated in step S1 of FIG. 3. Measurementsrequested by the source eNodeB 20S may assist the function controllingthe UE's connection mobility. The UE 10 is then triggered to sendMEASUREMENT REPORT messages (step S2) according to rules set by e.g.system information broadcast by the source eNodeB and/or specified inthe MEASUREMENT CONTROL message or additional downlink signaling.

For each UE in the RRC_CONNECTED state, the source eNodeB 20S runs oneor more handover control algorithms whose inputs include themeasurements reported by the UE 10 and possibly other measurements madeby the source eNodeB 20S. Depending on the measurements, the sourceeNodeB 20S may decide to hand off the UE 10 to a target eNodeB 20T (stepS3 of FIG. 3). When this occurs, the source eNodeB 20S issues a HANDOVERREQUEST message to the target eNodeB 20T (step S4), passing necessaryinformation to prepare the handover on the target side. Such informationincludes a UE X2 signaling context reference at the source eNodeB, a UES1 EPC signaling context reference, a target cell identifier, an RRCcontext and a SAE bearer context. The UE X2 and UE S1 signaling contextreferences enable the target eNodeB to address the source eNodeB and theEPC. The SAE bearer context includes necessary radio network layer (RNL)and transport network layer (TNL) addressing information.

An admission control function may be performed by the target eNodeB 20Tdepending on the received SAE bearer quality of service (QoS)information to increase the likelihood of a successful handover, if thenecessary resources are available at the target eNodeB (step S5 of FIG.3). If the handover is admitted, the target eNodeB 20T configures theresources according to the received SAE bearer QoS information andreserves a new cell-radio network temporary identifier (C-RNTI) for thesake of identifying the UE 10 in the target cell. The target eNodeB 20Tprepares the handover in layers 1 and 2 and sends a HANDOVER REQUESTACKNOWLEDGE message to the source eNodeB 20S (step S6). The HANDOVERREQUEST ACKNOWLEDGE message includes a transparent container to bepassed to the UE 10. The container may include the new C-RNTI allocatedby the target eNodeB, and possibly some other parameters such as accessparameters, system information blocks (SIBs), etc. The HANDOVER REQUESTACKNOWLEDGE message may also include RNL/TNL information for theforwarding tunnels, if necessary.

In response, the source eNodeB 20S generates the HANDOVER COMMANDmessage of the RRC protocol and sends it towards the UE 10 (step S7). Inparallel (step S8), the source eNodeB 20S transfers to the target eNodeB20T part or all of the packets that are buffered for transmission to theUE and currently in transit towards the UE, as well as informationrelating to acknowledgement status of the packets by the UE.

The HANDOVER COMMAND message includes the transparent container, whichhas been received from the target eNodeB 20T. The source eNodeB appliesthe necessary functions of integrity protection and ciphering to themessage. The UE receives the HANDOVER COMMAND message with the necessaryparameters (new C-RNTI, possible starting time, target eNodeB SIBs etc.)and is thereby instructed by the source eNodeB 20S to perform thehandover. The UE 10 complies with the handover command by detaching fromthe source cell, getting synchronization and accessing the target cell(step S9).

When the UE 10 has successfully accessed the target cell, it sends anHANDOVER CONFIRM message to the target eNodeB 20T using the newlyallocated C-RNTI (step S10 in FIG. 3) to indicate that the handoverprocedure is completed on the UE side. The target eNodeB 20T verifiesthe C-RNTI sent in the HANDOVER CONFIRM message. If the verification ispositive, the EPC is informed by the HANDOVER COMPLETE message from thetarget eNodeB 20T (step S11) that the UE has changed cell. In step S12,the EPC switches the downlink data path to the target side and itreleases any U-plane/TNL resources towards the source eNodeB 20S. TheEPC confirms by returning a HANDOVER COMPLETE ACK message in step S13.

The target eNodeB 20T then informs the source eNodeB 20S that thehandover was successful by sending a RELEASE RESOURCE message (stepS14), which triggers the release of resources, i.e. radio and C-planerelated resources associated to the UE context, by the source eNodeB instep S15.

It happens that a UE 10 in the RRC_CONNECTED state, communicating with agiven eNodeB 20, undergoes a radio link failure. The UE 10 can theneither perform an RRC connection reestablishment procedure to resume thebearer operation with the same eNodeB or a different one, or switch tothe RRC_IDLE state and request a new RRC connection when possible. Aradio link failure can, in particular, occur between steps S6 and S7 inthe handover procedure shown in FIG. 3 (perhaps degradation of the radiolink prior to failure was the reason for the handover decision). In sucha case, the UE 10 will often end up selecting the right target cell,particularly if the target was selected by the source eNodeB 20S basedon channel conditions. Even though the target eNodeB 20T has alreadyobtained all the necessary information about the UE 10 from the sourceeNodeB 20S, the UE 10 may still have to go via the RRC_IDLE state, whichis undesirable as it requires relatively complex procedures involvingthe EPC.

It has been proposed (“Handover Failure Recovery”, R2-071717, 3GPPTSG-RAN WG2 Meeting #58, Kobe, Japan, 7-11 May 2007) to deal with thissituation by letting the source eNodeB 20S send to the target eNodeB20T, in the HANDOVER REQUEST message, the UE identity that may be usedin an RRC connection request if the radio link fails, i.e. the identitythat is used by the UE when accessing a new cell after the cellselection process. When a radio link failure occurs in the preparationphase of the handover, before the UE 10 has a chance to receive theHANDOVER COMMAND message, and if the UE ends up selecting the celltargeted by the handover procedure, the target eNodeB 20T would then beable to identify the UE and indicate to the UE the possibility to reuseits existing RRC connection instead of setting up a brand new connectionand contacting the EPC. In other words, the system would behave as ifthe handover had been successful.

Thus, instead of transmitting the HANDOVER CONFIRM message to the targeteNodeB 20T, the UE 10 undergoing a radio link failure sends an RRCCONNECTION REESTABLISHMENT REQUEST message indicating a UE identifierthat the target eNodeB 20T will use in order to identify the UE and tobe able to link this UE to the UE context received from the sourceeNodeB 20S. If the verification is positive, the target eNodeB 20Tindicates to the UE 10 that its connection can be resumed (it need notswitch to the RRC_IDLE state), by returning a RRC CONNECTIONREESTABLISHMENT message.

The UE identifier indicated by the UE and used by the target eNodeB forcontention resolution may consist of the C-RNTI associated with amessage authentication code for integrity (MAC-I). See “Radio LinkFailure Recovery”, R2-072382, 3GPP TSG-RAN WG2 Meeting #58, Orlando,U.S.A., 25-29 Jun. 2007. The use of a MAC-I provides some securityagainst intruders that may attempt to use the existing connection of alegitimate user. However, the security is not perfect and in particularintruders may replay the UE identifier transmitted by the legitimate UEto try a fraudulent use of the RRC connection.

An object of the present invention is to enhance security in case of aradio link failure taking place while a handover procedure is beingexecuted.

SUMMARY OF THE INVENTION

A handover method for a wireless communications system is herebyproposed. The system has a plurality of base stations servicingrespective cells for communication with wireless devices. The handovermethod comprises:

-   -   for at least one target cell, transmitting a first message from        a source base station to a target base station servicing said        target cell, the first message including an identifier of a        wireless device having a communication link with the source base        station and information for obtaining authentication data for        said wireless device, wherein the authentication data depends on        a secret key available to the wireless device and the source        base station and on an identity of said target cell;    -   upon failure of said communication link, selecting a cell at the        wireless device and transmitting, from the wireless device to        one of the base stations servicing the selected cell, a        reestablishment request message including the identifier of the        wireless device and authentication data depending on the secret        key and on an identity of the selected cell;    -   if the selected cell is a target cell serviced by a target base        station that received a first message, verifying conformity of        the authentication data included in the reestablishment request        message with the authentication data obtained from said first        message; and    -   transferring the communication link to the selected cell if        conformity is verified.

The transmission of the first message, of the HANDOVER REQUEST type, istypically triggered by a handover decision based on measurementsreported by the wireless device to the source base station. However,other handover scenarios are also possible.

Due to the possibility of a link failure during execution of thehandover procedure, it may be a good idea for the network to preparemore than one target base station in parallel because it reduces theprobability of getting the wireless device switched to an idle state andinvolved in more complex signaling to recover a connection to thenetwork. If the different target base stations use the sameauthentication data, a security breach may exist. Namely, an intruderthat would receive the reestablishment request message including thewireless device identifier and the authentication data sent by thewireless device, e.g. to a target base station “A”, could transmit thesame message to a different target base station “B” that was alsoprepared beforehand. Especially in the case where the message would notbe received by station “A”, this would allow the intruder tofraudulently use the connection of the user. Such a security breach isavoided by making the authentication data, such as a MAC-I for example,dependent on the secret key and the identity of each individual targetcell.

Diversification of the authentication data can be further enhanced byusing in its calculation a common time reference between the wirelessdevice and each target base station. The authentication data is thencalculated in the base station servicing the selected cell upon receiptof the reestablishment request message from the wireless device. If sometime has elapsed between the time reference used to generate theauthentication data in the wireless device and the current time,connection reestablishment will be denied. This reduces the securityrisk associated with replay of the same reestablishment request messageby an intruder who eavesdrops a message from the legitimate wirelessdevice.

Another aspect of the invention relates to a wireless device forcommunication with a network having a plurality of base stationsservicing respective cells and adapted for implementing a handovermethod as outlined above. Such a wireless device comprises:

-   -   a detector for detecting failure of a communication link        provided between the wireless device and a source base station;    -   a selector for selecting a cell for further communication with        the network upon detection of the communication link failure;    -   a request generator for generating a reestablishment request        message including an identifier of the wireless device and        authentication data depending on a secret key available to the        wireless device and the source base station and on an identity        of the selected cell;    -   a transmitter adapted for transmitting the reestablishment        request message to one of the base stations servicing the        selected cell.

Still another aspect of the invention relates to a base station forservicing at least one cell in a wireless communications system andadapted for implementing a handover method as outlined above. Such abase station comprises:

-   -   a network interface adapted for receiving a first message from a        source base station of the wireless communications system, the        first message including an identifier of a wireless device        having a communication link with the source base station and        information for obtaining authentication data for said wireless        device, wherein the authentication data depends on a secret key        available to the wireless device and the source base station and        on an identity of a target cell serviced by said base station;    -   a wireless interface adapted for receiving a reestablishment        request message from a wireless device located in said target        cell, the reestablishment request message including an        identifier of said wireless device and authentication data; and    -   a handover controller for transferring the communication link to        said target cell if the wireless device identifier and        authentication data included in the reestablishment request        message match the wireless device identifier included in the        first message and the authentication data obtained from said        first message.

BRIEF DESCRIPTION OF THE DRAWINGS

Other objects, features and advantages of the invention will becomeapparent when reading the following description on non-limitingexemplary embodiments with reference to the accompanying drawings.

FIG. 1 is a block diagram illustrating network structure of an E-UMTS(or LTE) system.

FIGS. 2(a), 2(b) and 2(c) are block diagrams depicting logicarchitecture of typical network entities of the LTE system (FIG. 2(a)),a user-plane (U-plane) protocol stack (FIG. 2(b)) and a control-plane(C-plane) protocol stack (FIG. 2(c)).

FIG. 3 is a diagram illustrating a typical handover procedure in an LTEsystem.

FIG. 4 is a diagram illustrating a handover procedure in an LTE system,in a case where a failure of the radio link takes place during theprocedure.

FIGS. 5 and 6 are diagrams illustrating different possible ways ofgenerating authentication vectors in embodiments of the invention.

DETAILED DESCRIPTION OF THE INVENTION

A handover process in case of radio link failure is depicted in FIG. 4in the particular, non-limiting context of an LTE system.

The beginning of the procedure up to step S6 is quite similar to that ofthe procedure discussed above with reference to FIG. 3 and will not bedescribed again here. However, step S4 in which the HANDOVER REQUESTmessage is transmitted from the source eNodeB 20S to a target eNodeB 20Tis modified (step S4′) to include in the HANDOVER REQUEST message (or ina separate message sent along with the HANDOVER REQUEST message), inaddition to the identifier of the UE 10 for which the handover procedureis initiated, information making it possible to obtain authenticationdata in the form of an authentication vector. The HANDOVER REQUESTmessage is received by each target eNodeB 20T by means of its network X2interface.

It is important to note that the HANDOVER REQUEST message can be sent toseveral target eNodeBs selected in step S3, in order to cope with thefact that in case of a radio link failure, it cannot be foreseen whicheNodeB the UE will select.

How many target cells are taken into account in a given circumstance isa question of configuration of the handover decision algorithms executedby the source eNodeB 20S. If the radio measurements reported by the UEreveal that several eNodeBs may be good candidates for handing off thecommunication, these eNodeBs could (depending on settings of thehandover decision algorithms) be all prepared for handover because theyhave a non-negligible probability of being selected by the UE in case ofradio link failure. In other cases, only one eNodeB will stand as a goodcandidate for handover and in such a case, the HANDOVER REQUEST messagewill be sent to only one target eNodeB 20T. But even in the latter case,the HANDOVER REQUEST should preferably be adapted to include theinformation for obtaining authentication data as described here.

In certain cases, the handover initiation by the transmission of one ormore HANDOVER REQUEST message(s) to one or more target eNodeB may beperformed without taking into account any measurements reported by theUE. For example, in a cell located in a tunnel and serviced by an eNodeBby means of a loss cable antenna, the network engineers usually expectthat the likelihood of a radio link failure prior to reception of theHANDOVER COMMAND message by the UE is fairly high because a UE on boardof a moving vehicle will very often fail to make measurements from atarget cell located out of the tunnel early enough for the network tocomplete the handover procedure before the UE has moved out of range ofthe loss cable antenna. In such a situation, the network engineer alsoknows the most probable target cell(s) which are those (is that) locatedat the exit(s) of the tunnel. So it is possible to anticipate and tosystematically initiate handover procedures to these most probabletarget cells, known from the design of the network, by sendingrespective HANDOVER REQUEST messages to each of their servicing eNodeBs(steps S4′ executed in parallel for these eNodeBs).

It is also noted that the modification of the HANDOVER REQUEST messageto include information to calculate an authentication vector shouldpreferably be done in all handover scenarios, because the source eNodeB20S has no way of being sure that the radio link will not fail prior tocompletion of the handover. If the handover is successful, theauthentication vector will simply not be used. So even in the case ofFIG. 3 (no radio link failure), step S4 can be changed to step S4′.

In the scenario of FIG. 4, the HANDOVER COMMAND message cannot bereceived by the UE 10 because of a radio link failure detected in stepST. The radio link failure is detected, for example, by means of theRLC/MAC procedures of the user plane as illustrated in FIG. 2(b). Boththe UE and eNodeB RLC/MAC entities expect to receive signals at knowntimes and when the signals do not arrive, failure of the radio link canbe determined.

At the source eNodeB 20S, detection of the radio link failure can takeplace before or after transmitting a HANDOVER COMMAND message over thewireless interface. If a HANDOVER COMMAND message was sent, the sourceeNodeB 20S may transfer to each target eNodeB 20T selected in step S3part or all of the packets that are buffered for transmission to the UEand currently in transit towards the UE, as well as information relatingto acknowledgement status of the packets by the UE (step S8 identical tothat described with reference to FIG. 3). The same step S8 can beexecuted to prepare each selected target cell if the source eNodeB 20Sdetects the radio link failure prior to transmitting a HANDOVER COMMANDmessage, as shown in FIG. 4.

When the UE 10 detects the radio link failure, it remains in theRRC_CONNECTED for a while (as long as a timer does not expire), tries toreselect a cell and accesses it by means of the usual random accessprocedures of the PHY layer. If no cell can be accessed and reselectedbefore expiry of the timer, the UE switches to the RRC_IDLE state. Ifthe same (source) eNodeB is selected, the original link is restored andthe handover procedure can be resumed as illustrated in FIG. 3. If adifferent cell is selected, the UE sends to the eNodeB servicing thatcell a message to request the RRC connection to be maintained (stepS9′). This message can be an RRC CONNECTION REESTABLISHMENT REQUESTmessage generated by the RRC entity of the UE in the C-plane (FIG. 2(c))and transmitted over the wireless interface using the lower RLC, MAC andPHY protocol layers. It includes at least:

-   -   an identifier of the UE; and    -   an authentication vector depending on a secret key shared with        the source eNodeB 20S and on an identity of the selected cell.

These items may form part of a UE-identity information element (IE)included in the RRC CONNECTION REESTABLISHMENT REQUEST message. TheUE-identity IE includes, for example, the C-RNTI used in the source cellas the UE identifier, and a message authentication code for integrity(MAC-I) computed as illustrated in FIG. 5 or FIG. 6 as theauthentication vector.

In FIGS. 5 and 6, the MAC-I is calculated by an integrity algorithm 100,which is one of the cryptographic algorithms available in the UEs andeNodeBs and whose input parameters include a secret key shared betweenthe UE 10 and the source eNodeB 20S. This secret key can for example bethe K_(RRCint) key used for the protection of RRC traffic with theintegrity algorithm 100. The K_(RRCint) key is one of the keys derivedfrom a higher level secret key K_(eNB) available to both the sourceeNodeB 20S and the UE 10.

The MAC-I is calculated over further input parameters of the integrityalgorithm 100 which include at least a selected cell ID. Such cell IDmay be a physical layer identity of the selected cell. In the particularexample of FIG. 5, the input parameters of the integrity algorithm 100additionally include:

-   -   the C-RNTI allocated to the UE in the source cell for        communication with the source eNodeB 20S on the (failed) radio        link;    -   a source cell ID, for example the physical layer identity of the        source cell.

In such an embodiment, the information transmitted from the sourceeNodeB 20S to each target eNodeB 20T in the HANDOVER REQUEST message ofstep S4′ in view of the calculation of an authentication vector includesthe secret shared between the source eNodeB 20S and the UE 10 (theK_(RRCint) key in our example). If the source C-RNTI of the UE and/orthe source cell ID are not provided elsewhere in the HANDOVER REQUESTmessage, they can also form part of the information for obtaining theauthentication vector.

It is observed that it is possible to pre-calculate the MAC-I in thesource eNodeB in accordance with FIG. 5, with the physical layeridentity of a target cell as the “Selected Cell-ID” input parameter. Inthis case the information for obtaining the authentication vector(MAC-I) sent with the HANDOVER REQUEST message is reduced to the MAC-Iitself, and of course this information is different from one targeteNodeB to another when a plurality of target eNodeBs 20T are retained inthe handover decision step S3.

In the alternative embodiment of FIG. 6, the input parameters for theintegrity algorithm 100 additionally include a common time referencebetween the UE 10 and the eNodeBs 20 (or at least the eNodeB(s) 20T thatis (are) candidate for the handover). The value of this time referenceis that of a local clock, for which there is some synchronizationbetween the UE and the network, when the algorithm 100 is run, with atruncation accounting for a certain validity period of the MAC-I.

The RRC CONNECTION REESTABLISHMENT REQUEST message transmitted by the UE10 in step S9′ may be received by an eNodeB which was not prepared forthe handover, i.e. which was not contacted by the source eNodeB 20S orwhich denied admission in step S5. In this case, rejection of thereestablishment request is signaled to the UE 10 that may make anothertry by selecting another cell and re-transmitting to it another RRCCONNECTION REESTABLISHMENT REQUEST message. If the UE 10 does notreceive any response to the RRC CONNECTION REESTABLISHMENT REQUESTmessage for a certain time, it can switch to the RRC_IDLE state.

FIG. 4 illustrates the case where the RRC CONNECTION REESTABLISHMENTREQUEST message transmitted by the UE 10 in step S9′ is received by atarget eNodeB 20T which was prepared for the handover of this UE, bymeans of its wireless interface and its C-plane protocol layersRRC/RLC/MAC/PHY as illustrated in FIG. 2(c). This target eNodeB 20T thenverifies in step S10′ whether the authentication vector included in theRRC CONNECTION REESTABLISHMENT REQUEST message matches theauthentication vector obtained from the HANDOVER REQUEST message in stepS4′.

If the authentication vector was not received directly from the sourceeNodeB 20S on the X2 interface, it is calculated by the target eNodeB20T as shown in FIG. 5 or 6 using the information received in theHANDOVER REQUEST message and the ID of the cell accessed by the UE.

If the input parameters include a common time reference as shown in FIG.6, the calculation is done locally by the target eNodeB 20T at the timeof receiving the RRC CONNECTION REESTABLISHMENT REQUEST message, so thatthe time reference is normally the same as used on the UE side.Therefore, if the RRC CONNECTION REESTABLISHMENT REQUEST messagereceived by the target eNodeB 20T is a message fraudulently replayed byan intruder, the update of the common time reference between theoriginal generation of the MAC-I in the legitimate UE and itscalculation in the target eNodeB 20T causes a mismatch so that thereestablishment request is rejected.

Also, if the RRC CONNECTION REESTABLISHMENT REQUEST message was firstsent towards a different cell selected by the legitimate UE, thedependence of the MAC-I on the selected cell ID prevents success of afraudulent replay to a target eNodeB 20T, without any timingconstraints.

When the conformity of the authentication vectors is verified in stepS10′, the handover control function of the target eNodeB 20T transfersthe communication link of the UE to the selected target cell by:

-   -   triggering continuation of the handover procedure with steps S11        to S15 shown in FIG. 4, which are identical to those having the        same reference signs in FIG. 3; and    -   after receiving the HANDOVER COMPLETE ACK message from the EPC        (step S13) completing the RRC connection reestablishment        procedure by returning to the UE 10 an RRC CONNECTION        REESTABLISHMENT message in step S16′. The UE 10 responds by        returning an RRC CONNECTION REESTABLISHMENT COMPLETE message in        step S17′.

In the embodiment illustrated in FIG. 4, the delivery of the bufferedand in transit packets from the source eNodeB 20S to the target eNodeB20T over the X2 interface (step S8) is done as soon as the source eNodeB20S receives the HANDOVER REQUEST ACKNOWLEDGE message of step S6.Alternatively, when a radio link failure is detected in step S7′, thesource eNodeB 20S may wait for some indication that the UE 10 hassuccessfully accessed a target eNodeB 20T and authenticated itself. Insuch an alternative, the target eNodeB 20T that verified conformity ofthe authentication vector in step S10′ can contact the source eNodeB20S, before or after receiving the HANDOVER COMPLETE ACK message fromthe EPC, in order to recover the buffered and in transit packets.

Embodiments of the invention have been disclosed above in theillustrative case of a 3GPP LTE system. Those skilled in the wirelesscommunication art will appreciate that various modifications can bebrought to these embodiments without departing from the invention andfrom the attached claims. They will also appreciate that the inventionis applicable to communications systems other than 3GPP LTE systems.

What is claim is:
 1. A handover method for a wireless communicationssystem having a plurality of base stations servicing respective cellsfor communication with wireless devices, the method comprising: for atleast one target cell, transmitting a first message from a source basestation to a target base station servicing said target cell, the firstmessage including an identifier of a wireless device having a radio linkwith the source base station and information for obtaining a firstmessage authentication code for integrity (MAC-I) for said wirelessdevice; upon failure of said radio link, selecting a cell at thewireless device and transmitting, from the wireless device to one of thebase stations servicing the selected cell, a reestablishment requestmessage requesting a reestablishment of a radio link, wherein thereestablishment request message includes the identifier of the wirelessdevice and a second MAC-I; if the selected cell is a target cellserviced by the target base station that received the first message,verifying conformity of the first MAC-I and the second MAC-I; andtransferring the radio link to the selected cell if the conformity isverified.